11 Recommended Threat Modeling Tools
11 Recommended Threat Modeling Tools
In case you hadn’t guessed by now, we are passionate about threat modeling, and ensuring secure by design practices are rolled out across an entire SDLC. To get you started, budget or knowledge shouldn’t be a showstopper. So here is a rundown of our pick of the best free tools, plus those you can buy if you have some budget to spend on proactive security.
Free threat modeling tools
These tools are great to get you started with threat modeling and understanding all the interlinking principles. Or to simply start diagramming and getting a view of your architecture in software such as Miro.
OWASP Threat Dragon
- Summary: Threat Dragon is more than just its likable logo. Threat Dragon updates its GitHub repo a few times a year, and enables users to categorize threats for STRIDE LINDDUN and others. Plus you can run as a web app or desktop.
- Website: https://owasp.org/www-project-threat-dragon/
- Cost: Free open source
- Use case: OWASP Threat Dragon provides a free, open-source, threat modeling application that is powerful and easy to use. It can be used for categorizing threats using STRIDE, LINDDUN CIA, DIE and PLOT4ai.
- What makes it great: Threat Dragon follows the values and principles of the threat modeling manifesto, and as said above, it adopts STRIDE from Microsoft which is a popular methodology, along with others that add further value.
- Notable features: It can be used to record possible threats and decide on their mitigations, as well as giving a visual indication of the threat model components and threat surfaces. Threat Dragon runs either as a web application or as a desktop application.
- Active on GitHub? Yes: https://github.com/OWASP/www-project-threat-dragon/blob/main/index.md
Microsoft Threat Modeling Tool
- Summary: Need to be walked through a threat modeling tool, or perhaps you aren’t a security expert? Then Microsoft Threat Modeling Tool may be exactly what you’re looking for. With lots of documentation and step by step guidance to get you started. Complete with generated threats after you build your diagram.
- Website: https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool
- Cost: Free
- Use case: Ideal for new users to threat modeling. It states it was created with non-security specialists in mind, hence it has a lot of guidance and focuses on ease of use.
- What makes it great: It feels like quite a complete threat modeling tool, as you also have some report capability. Plus a lot of documentation for ease of adoption, and even training modules.
- Notable features: Easy to download and get started, thanks to the documentation, but the easy to use framework of Microsoft Threat Modeling Tool.
- Active on GitHub? Yes, infrequent: https://github.com/microsoft/threat-modeling-templates
Threagile
- Summary: Threagile is the open-source toolkit which allows users to model an architecture with its assets in an agile declarative fashion as a YAML file directly inside the IDE or any YAML editor.
- Website: https://threagile.io/
- Cost: Free open source
- Use case: Great for Developers preferring to work in code or specifically YAML or JSON files. See this overview video here: https://www.youtube.com/watch?v=5n-8LqHMoJ0
- What makes it great: You can get the same information presented in different views/ categories. Depending on your requirements or role, when you go to the PDF report. Threagile is made for developers, and this is apparent in what is possible within the YAML file itself.
- Notable features: Excellent reporting, which gives a full breakdown of the threats and even color codes them by the level of risk (ie. orange or red). Plus a Management Summary and Risk Mitigation section. The report file has clickable links to go to specific risks to learn more.
- Active on Github? Yes: https://github.com/Threagile/threagile
AWS ThreatComposer
- Summary: This tool runs purely in the browser, using local storage mechanisms. This means the data you enter never leaves your computer unless you export it.
- Website: https://awslabs.github.io/threat-composer/workspaces/default/dashboard
- Cost: Free
- Use case: It does not have diagramming or questionnaires, but it is built upon a threat statement that you manually type in. It is quite manually but extremely easy to use - so much so that Amazon’s developers are using it.
- What makes it great: Can be exported as code (JSON file). It utilizes Adam Shostack's Four Question Framework as inspiration for how the tool is structured - in particular the 'what can go wrong?' question. In addition, it uses STRIDE built within it which is another popular threat modeling methodology.
- Active on Github? Yes: https://github.com/awslabs/threat-composer
Miro
- Summary: Great if you have previously been doing manual threat modeling, also known as whiteboarding, and are looking to do this online. A great halfway point if you aren’t ready to fully automate your threat modeling yet.
- Website: http://miro.com/
- Cost: Free (only if you need a single workspace with a maximum of 3 editable boards)
- Use case: Templates are useful if you’re unsure where to start or just want a little guidance and time saving. Its ease of use means this software is accessible to multiple users for varying uses.
- What makes it great: Keyboard shortcuts help to quickly and easily add shapes (components)
- Notable features: We recommend the ‘Data Flow Diagram’ Template for initial guidance
- Active on GitHub? N/A as this is a diagramming tool
Lucidchart
- Summary: Great if you have previously been doing manual threat modeling, also known as whiteboarding, and are looking to do this online. A great halfway point if you aren’t ready to fully automate your threat modeling yet.
- Website: https://www.lucidchart.com/pages/
- Cost: Free (of you only need one workspace, and limited shapes - up to 60)
- Use case: Similarly to Miro, Lucidchart is ideal if you are new to diagramming, or want to level up your whiteboard efforts.
- What makes it great: Being able to see example visuals in a preview format for the templates before selecting, helps to save time and get a headstart on building out your architecture. Instead of just using shapes to represent your components, Lucidchart gives you wider options for items like a router, switch, access points and so on to better represent what you need.
- Notable features: When you get started, it asks for your role to better tailor its content. So if you say you are in ‘Engineering’ it suggests options such as Flowcharts, Model Databases, UML Diagrams and Cloud Architecture, to name a few.
- Active on GitHub? N/A as this is a diagramming tool
Draw.io/ diagrams.net
- Summary: draw.io is a technology stack for building diagramming applications, on a browser-based end-user diagramming software. It is the only one we know of where you can start using without signing up!
- Website: https://www.drawio.com/
- Cost: Free
- Use case: Awesome for integrations if you want to link it up with GitHub, GitLab, Atlassian or other developer tools, plus Microsoft and Google Suites if you want to collaborate across teams.
- What makes it great: You can share your link with anyone and know any person you share it with can view your diagram. Being a truly free and open piece of software. No need to ask peers to sign up for anything.
- Notable features: Bring your storage to the online tool, or save locally with the desktop app.
- Active on GitHub? N/A as this is a diagramming tool
IriusRisk Community Edition
- Summary: It is no coincidence that our free threat modeling tool follows draw.io. As our Threat Modeling Tool diagramming function is built on draw.io for ease of use and familiarity in terms of functionality. Community Edition also has access to the security libraries that are in the Enterprise version. Complete with associated risks and countermeasures.
- Website: https://www.iriusrisk.com/community
- Cost: Free
- Use case: Ideal for users looking to move from whiteboard, or diagramming applications, into an automated threat modeling tool. For time saving and risk mitigation that could be missed by threat modeling manually.
- What makes it great: Methodology agnostic, meaning you can use STRIDE, OCTAVE or any others that you prefer to build out your architecture and see your associated threats.
- Notable features: Import capability for bringing in codes or templates from other tools. Users can also export Threats & Countermeasures as XLS or in XML formats, which is helpful if you are bringing this data into other software -applications.
- Active on Github? Yes: https://github.com/iriusrisk
Enterprise Tools
These best picks are great if you are an enterprise company, an organization that needs to scale, and/or have a cybersecurity budget to invest. Especially if you like to save on remediation costs, then these threat modeling tools could be for you. Some of these still have a free option to try out as well.
Aristiun
- Summary: Choose from STRIDE or a Risk Assessment approach, easy to use and assists you to work through the tool.
- Website: https://threat-modeling.com/
- Cost: Free
- Use case: Aristiun gives some helpful example use cases, for example using STRIDE in a healthcare organization, this tool is a good place to start to increase threat modeling knowledge
- What makes it great: It drops in a basic application diagram to get you started and maps threats to STRIDE.
- Notable features: Can choose from an Application Risk Assessment (ARA)or a STRIDE Assessment to get you started and provide associated risks. It walks you through an easy to use questionnaire which is broken down into sections for example in the ARA questionnaire, User Access Management, Encryption and Hardening to name a few.
- Active on Github? Yes: https://github.com/marketplace/aristiun-aribot
SD Elements
- Website: https://www.securitycompass.com/sdelements/
- Cost: Not shared on their website, you can request it here
- Use case: For DoD, Military or Federal markets, this seems a popular tool to use. Especially those looking for ATO approval.
- What makes it great: Questionnaire walks you through your application, components and context, it focuses on compliance needs and associated risks.
- Notable features: Developer guidance is built in at the security control level - and they’ve got a lot of helpful product documentation too to get you started quickly. They also have training modules if you need it.
- Active on Github? Yes: https://github.com/sdelements
IriusRisk Threat Modeling Tool
Of course we couldn’t write a blog about threat modeling tools without recommending our own. We’re not mad, you know. And we also know our product is a really great product (our users tell us so). And so we wrap up with IriusRisk Threat Modeling Tool.
- Website: (you’re on it but…https://www.iriusrisk.com/threat-modeling-platform)
- Cost: See our Plans. We have varying levels and pricing tiers, depending if you need 5 or 500 threat models.
- Use case: Ideal for critical infrastructure or industries that need to conform with legislation, such as transport, medical devices and finance. We have big and important standards in our tool, like NIST Revision 5, OWASP, GDPR, HIPPA and many many more.
- What makes it great: Flexibility and customization. We have a lot of components, threat libraries and risk patterns out-of-the-box, as well as threat modeling templates to get you started - but - need something different? You can add your own custom componentes, workflows and rules to further automate.
- Notable features: The first of its kind ML and AI threat library that allows users to threat model these systems and applications. A huge leap forward on software security and production of secure code.
- Active on Github? Yes: https://github.com/iriusrisk
What next?
Head over to our Resources area to see content filtered to ‘Intro to Threat Modeling’ or other subjects that will be useful for you to see. Signing up to our free threat modeling tool; Community Edition can be done here.
